EUM V5 can sync your internal users as "Staff" so they can easily be added to groups managed by EUM. Below is the process to sync the users:
- Navigate to the /EumAdmin site in EUM and sign in with a configuration editor account. Click on
- In Federation Clients page click Add New Client button in the top left to add a new client
- Create a new client with the details below:
    - Client Details tab:
        - Turn on the Enable toggle
        - Enter "EUM_StaffSyncPowerShell" as the Client ID and Client name
        - Enter "openid", "profile", "extranet_api_v4" in Scopes
    - Secret Consent Logo tab:
        - Turn on the Require client secret toggle
        - Enter a secret in Secrets and keep a note of it for later use
          Note: use alphanumeric characters only for the secret
    - Token Lifetime tab
    - Logout tab
    - Client Grant Types tab: enter Client Credentials in the Client grant types
    - Token Option tab: turn on the Allow access token via browser and Always send client claims toggles
    - Refresh tab
    - Click Save
- Access the SQL database to apply the following settings, which cannot be created using the EUMAdmin application:
    - Find the Id value of the EUM_StaffSyncPowerShell client created above:
      SELECT ClientId, Id FROM Clients WHERE ClientId = 'EUM_StaffSyncPowerShell'
    - Enter the following records into ClientClaims for that client Id:
      Type            Value
      sub             EUM_Staff_SyncPS
      EUM_Staff_Sync  True
- Run a PowerShell script or an app for the Staff Sync. The users endpoint can be used, and filters can be applied in the script or app so that only the intended users are synced. The script or app can be run on a schedule to keep EUM synced to AAD at regular intervals. The Staff users to be synced must have a First Name, Last Name, and Email.
Sample PowerShell:
Write-Output "BEGIN EUM_StaffSyncPowerShell.ps1"
# Load the IdentityModel client library and its dependencies from the script folder
Add-Type -path ".\IdentityModel.dll"
Add-Type -path ".\Newtonsoft.Json.dll"
Add-Type -path ".\System.ValueTuple.dll"
# Read the IdentityServer discovery document to locate the token endpoint
$disco = [IdentityModel.Client.DiscoveryClient]::GetAsync("{EUM root URL}/idsrv").GetAwaiter().GetResult()
if ($disco.IsError) {
    Write-Output $disco.Error
    exit 1
}
# Request an access token with the client credentials grant for the extranet_api_v4 scope
$tokenClient = New-Object IdentityModel.Client.TokenClient($disco.TokenEndpoint, "EUM_StaffSyncPowerShell", "mysecret")
$cancelToken = New-Object System.Threading.CancellationToken
$tokenResponse = [IdentityModel.Client.TokenClientExtensions]::RequestClientCredentialsAsync($tokenClient, "extranet_api_v4", $null, $cancelToken).GetAwaiter().GetResult()
if ($tokenResponse.IsError) {
    Write-Output $tokenResponse.Error
    exit 1
}
# Prints the raw access token; this is a bearer credential, so keep this line for debugging only
Write-Output $tokenResponse.AccessToken
# Call the staff sync API with the bearer token; filter and endpoint select which users are synced
$client = New-Object System.Net.Http.HttpClient
[System.Net.Http.HttpClientExtensions]::SetBearerToken($client, $tokenResponse.AccessToken)
$response = $client.GetAsync("{EUM root URL}/_API/v4/staffsync?filter=userType%20eq%20'Member'&endpoint=users").GetAwaiter().GetResult()
if ($response.IsSuccessStatusCode) {
    $content = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
    $content
    $conv = ConvertFrom-Json($content)
    $conv
}
else {
    # Show the HTTP status and response body to help diagnose a failed sync
    Write-Output $response.StatusCode
    $content = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
    $content
}
Write-Output "END EUM_StaffSyncPowerShell.ps1"
- Before running the PowerShell script, put the script and the files below in the same folder:
- IdentityModel.dll
- Newtonsoft.Json.dll
- System.ValueTuple.dll
- The IdentityModel.dll and Newtonsoft.Json.dll can be obtained from the IdentityServer folder of the installed EUM.
- The System.ValueTuple.dll file can be obtained from the Extranet_API_V4\bin folder of the installed EUM.
- In the sample PowerShell script, replace {EUM root URL} with your EUM's root URL starting with https://, and replace mysecret with the secret created while creating the Federation Client "EUM_StaffSyncPowerShell" in EUMAdmin.
This sample PowerShell script will sync all users of the "Member" type to EUM.
Once it has run, you can search for users in EUMAdmin and check whether the Staff users have been synced.
The EUMAdmin dashboard also shows the recent sync processes in the Recent Process tab: green for successful syncs and red for failed ones.
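A hardened variant of the sample script, added here as an example and not part of the EUM product or the original article: it reads the client secret from a DPAPI-protected file instead of a literal in the script, stops at the first error so a scheduled run fails visibly with a non-zero exit code, and never writes the access token to the console. The $EumRoot placeholder, the secret.xml path and the use of $PSScriptRoot are assumptions.

```powershell
# Added example (not from the article): hardened EUM_StaffSyncPowerShell.ps1
# Assumes the three DLLs sit beside the script and the secret was stored once, as the
# same Windows user on the same machine, with:
#   Read-Host -AsSecureString | Export-Clixml -Path .\secret.xml   (DPAPI-protected)
$ErrorActionPreference = 'Stop'
$EumRoot  = 'https://eum.example.invalid'   # placeholder: replace with your EUM root URL
$ClientId = 'EUM_StaffSyncPowerShell'
$Scope    = 'extranet_api_v4'

Add-Type -Path (Join-Path $PSScriptRoot 'IdentityModel.dll')
Add-Type -Path (Join-Path $PSScriptRoot 'Newtonsoft.Json.dll')
Add-Type -Path (Join-Path $PSScriptRoot 'System.ValueTuple.dll')

# Decrypt the client secret only for the duration of the token request.
$secure = Import-Clixml -Path (Join-Path $PSScriptRoot 'secret.xml')
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

$disco = [IdentityModel.Client.DiscoveryClient]::GetAsync("$EumRoot/idsrv").GetAwaiter().GetResult()
if ($disco.IsError) { throw "Discovery failed: $($disco.Error)" }

$tokenClient = New-Object IdentityModel.Client.TokenClient($disco.TokenEndpoint, $ClientId, $secret)
$secret = $null   # drop the plaintext reference as soon as it has been handed over
$cancel = New-Object System.Threading.CancellationToken
$tokenResponse = [IdentityModel.Client.TokenClientExtensions]::RequestClientCredentialsAsync($tokenClient, $Scope, $null, $cancel).GetAwaiter().GetResult()
if ($tokenResponse.IsError) { throw "Token request failed: $($tokenResponse.Error)" }
# Record that a token was issued and its lifetime, but never the token itself.
Write-Output ("Token obtained, expires in {0}s" -f $tokenResponse.ExpiresIn)

$client = New-Object System.Net.Http.HttpClient
[System.Net.Http.HttpClientExtensions]::SetBearerToken($client, $tokenResponse.AccessToken)
$url = "$EumRoot/_API/v4/staffsync?filter=userType%20eq%20'Member'&endpoint=users"
$response = $client.GetAsync($url).GetAwaiter().GetResult()
$body = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
if (-not $response.IsSuccessStatusCode) {
    # Non-zero exit code so Task Scheduler or monitoring records the failed sync.
    Write-Warning "Staff sync failed: HTTP $([int]$response.StatusCode) $body"
    exit 1
}
$result = $body | ConvertFrom-Json
Write-Output "Staff sync completed: $($result | ConvertTo-Json -Depth 5 -Compress)"
exit 0
```

Run it under the same account that created secret.xml, since DPAPI ties the encrypted secret to that user and machine.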